Privacy Policy

Version 1.0 · Effective March 30, 2026

This Privacy Policy describes how Bael Technologies Ltd (“Bael”, “we”, “us”, “our”) collects, uses, stores, and protects your personal information when you use the bael.ai platform. We are committed to handling your data with transparency, care, and respect.

1. Who This Policy Applies To

This policy applies to:

  • Customers — individuals and organisations that create a bael.ai workspace and use the platform for recruitment
  • Team members — individuals invited to join a Customer's workspace
  • Visitors — anyone who visits bael.ai or our public pages

This policy does not govern the personal data of job applicants who apply via a bael.ai-powered careers page. Applicant data is controlled by the employer (our Customer), who is responsible for their own applicant-facing Data Protection Notice.

2. What Data We Collect

2a. Account & Profile Data

When you create an account we collect:

  • Name and email address (via Google OAuth)
  • Profile photo (from your Google account, if provided)
  • Workspace name and slug you create

2b. Usage & Activity Data

  • Actions taken within the platform (jobs created, candidates added, stages moved)
  • Feature usage — which tools and AI features you use, and how frequently
  • Session timestamps and browser/device metadata (for security and debugging)

2c. Billing Data

  • Subscription plan, billing cycle, and payment history
  • Payment card details are never stored by Bael — all payment processing is handled by Stripe, a PCI-DSS-certified provider

2d. Integration Data

If you connect third-party services:

  • Gmail: access tokens to read recruitment-related emails. We access only the scopes you grant and do not read emails unrelated to recruitment.
  • LinkedIn: OAuth tokens to publish job postings on your behalf
  • Telegram: your Telegram user ID to deliver workspace notifications

2e. Customer Content

Job descriptions, candidate profiles, pipeline notes, uploaded resumes, and any other content you create or upload while using the platform.

3. How We Use Your Data

We use your data to:

  • Provide the Service — create and manage your workspace, process your jobs and candidates, and operate all platform features
  • Improve AI features — aggregated, anonymised usage patterns help us improve our AI models. We never use identifiable candidate data to train models.
  • Process billing — manage subscriptions, invoices, and payment events via Stripe
  • Send transactional communications — account invitations, billing receipts, password resets, and important service announcements
  • Ensure security — monitor for fraud, abuse, and unauthorised access
  • Comply with law — meet our legal obligations under applicable Kenyan and international law

We do not sell your personal data. We do not use your data for advertising or share it with data brokers.

4. Legal Basis for Processing

We process your personal data on the following legal bases:

  • Contract — processing necessary to provide the Service you signed up for
  • Legitimate interests — security monitoring, fraud prevention, and service improvement
  • Legal obligation — where we are required to process data to comply with the law
  • Consent — for optional integrations (Gmail, LinkedIn, Telegram) where you explicitly authorise access

5. Data Sharing & Sub-processors

We work with a small number of trusted third-party providers to operate the platform. Each sub-processor is bound by data processing agreements and handles your data only as instructed by us:

Provider          | Purpose                                              | Location
Supabase          | Database, authentication, file storage               | USA
Stripe            | Payment processing & billing                         | USA
Google (Gemini)   | AI resume parsing, job generation, candidate scoring | USA
Voyage AI         | Vector embeddings for semantic candidate search      | USA
SendGrid (Twilio) | Transactional email delivery                         | USA
Google Cloud Run  | Application hosting                                  | USA

We do not share your data with any other third parties except when required by law or with your explicit consent.

6. Data Security

We take security seriously and implement the following measures:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • Database access is restricted to authenticated users via Row Level Security (RLS) — each workspace can only access its own data
  • File uploads are stored in private, access-controlled cloud storage
  • OAuth tokens for third-party integrations are stored encrypted and never exposed client-side
  • Automatic session expiry after 30 minutes of inactivity
  • All administrative access to production systems is logged and audited

If you discover a potential security vulnerability, please report it responsibly to security@bael.ai. We take all reports seriously and will acknowledge them within 48 hours.

7. Data Retention

  • Active accounts: data is retained for as long as your workspace is active
  • After cancellation: workspace data is retained for 90 days to allow data export, then permanently deleted
  • Billing records: retained for 7 years as required by financial regulations
  • Security logs: retained for 12 months for fraud and incident investigation

You can export your data at any time from your workspace settings. You can request earlier deletion by contacting privacy@bael.ai.

8. Your Rights

Under the Kenya Data Protection Act, 2019 (and equivalent laws in other jurisdictions), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete information
  • Erasure — request deletion of your account and personal data
  • Portability — receive your data in a structured, machine-readable format
  • Withdraw consent — for integrations authorised by consent (Gmail, LinkedIn, Telegram)
  • Object — to specific processing activities
  • Complaint — lodge a complaint with the Office of the Data Protection Commissioner (ODPC) at www.odpc.go.ke

To exercise any of these rights, contact us at privacy@bael.ai. We will respond within 30 days.

9. Cookies

bael.ai uses minimal cookies, limited to what is strictly necessary to operate the platform:

  • Authentication cookies — to keep you signed in during your session
  • Preference cookies — to remember UI settings (e.g., active workspace)

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that follow you across other websites. You can clear cookies at any time via your browser settings, though this will sign you out of the platform.

10. Children's Privacy

bael.ai is a professional recruitment platform intended for adults aged 18 and over. We do not knowingly collect or process personal data from children under 18. If you believe a minor has created an account, please contact us immediately at privacy@bael.ai and we will delete the account promptly.

11. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will notify you by email and display a prominent notice in the platform. The updated policy will include a new version number and effective date. Continued use of bael.ai after the effective date constitutes acceptance of the updated policy.

12. Contact

For all privacy-related enquiries:

You may also contact the Office of the Data Protection Commissioner (ODPC) of Kenya at www.odpc.go.ke if you believe your rights have been violated.

© 2026 Bael Technologies Ltd · All rights reserved